From a1fea9419729630d43075efc1a79b6ea9b695d88 Mon Sep 17 00:00:00 2001
From: Ben van B <030@users.noreply.github.com>
Date: Wed, 16 Oct 2024 22:50:01 +0200
Subject: [PATCH] feat: [#1][#2] Install python and run pytest (#3)

---
 .github/dependabot.yml                   |   7 ++
 .github/workflows/mcvs-pr-validation.yml |  19 ++++
 README.md                                |  37 +++++++-
 action.yml                               | 116 +++++++++++++++++++++++
 4 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/mcvs-pr-validation.yml
 create mode 100644 action.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f253916
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'
diff --git a/.github/workflows/mcvs-pr-validation.yml b/.github/workflows/mcvs-pr-validation.yml
new file mode 100644
index 0000000..b337dc2
--- /dev/null
+++ b/.github/workflows/mcvs-pr-validation.yml
@@ -0,0 +1,19 @@
+---
+name: MCVS-PR-validation-action
+'on':
+  pull_request:
+    types:
+      - edited
+      - opened
+      - reopened
+      - synchronize
+  workflow_call:
+permissions:
+  contents: read
+  pull-requests: read
+jobs:
+  MCVS-PR-validation-action:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4.2.0
+      - uses: schubergphilis/mcvs-pr-validation-action@v0.2.0
diff --git a/README.md b/README.md
index ddcc112..5a24078 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,37 @@
-# mcvs-python-action
+# MCVS-python-action
+
 Mission Critical Vulnerability Scanner (MCVS) Python Action. Create Python code without high and critical vulnerabilities.
+
+## Usage
+
+Create a `.github/workflows/python.yml` file with the following content:
+
+```yaml
+---
+name: Python
+"on": push
+permissions:
+  contents: read # write if pyinstaller-binary-name is non-empty
+jobs:
+  MCVS-python-action:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4.1.1
+      - uses: schubergphilis/mcvs-python-action@v0.1.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+<!-- markdownlint-disable MD013 -->
+
+| Option                  | Default                              | Required | Description                                                                                                       |
+| :---------------------- | :----------------------------------- | -------- | :---------------------------------------------------------------------------------------------------------------- |
+| pyinstaller-binary-name |                                      |          | If populated, then a binary will be created using pyinstaller and attached to a release                           |
+| token                   | ' '                                  | x        | GitHub token that is required to push a package to the registry of the project and to pull cached Trivy DB images |
+| trivy-action-db         | ghcr.io/aquasecurity/trivy-db:2      |          | Replace this with a cached image to prevent bump into pull rate limiting issues                                   |
+| trivy-action-java-db    | ghcr.io/aquasecurity/trivy-java-db:1 |          | Replace this with a cached image to prevent bump into pull rate limiting issues                                   |
+
+<!-- markdownlint-enable MD013 -->
+
+Define the Python version of the project by adding it to a `.python-version`
+file.
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..cc4babc
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,116 @@
+---
+name: mcvs-python-action
+description: |
+  The Mission Critical Vulnerability Scanner (MCVS) Python action.
+inputs:
+  pyinstaller-binary-name:
+    description: The name of the binary that is created using pyinstaller.
+  trivy-action-db:
+    default: 'ghcr.io/aquasecurity/trivy-db:2'
+    description: |
+      OCI repository to retrieve trivy-db from.
+  trivy-action-java-db:
+    description: |
+      OCI repository to retrieve trivy-java-db from.
+    default: 'ghcr.io/aquasecurity/trivy-java-db:1'
+  token:
+    description: |
+      A token is required to allow the mcvs-python-action to push the
+      package that it has been built, to the packages repository of the GitHub
+      repository where the action has been run and to pull the cached trivy DBs
+      to prevent bump into pull rate limits.
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    #
+    # YAML linting.
+    #
+    - run: |
+        pip install --user yamllint==1.35.1
+        yamllint .
+      shell: bash
+    #
+    # Install the python version that has been defined in the .python-version
+    # file.
+    #
+    - uses: actions/setup-python@v5.2.0
+      with:
+        cache: 'pip'
+    #
+    # Code security scanning.
+    #
+    - uses: anchore/scan-action@v4.1.2
+      with:
+        only-fixed: false
+        output-format: table
+        path: '.'
+        severity-cutoff: high
+    - uses: 030/trivyignore-validator-action@v0.1.2
+    - name: Log in to GitHub Packages Docker registry
+      shell: bash
+      run: |
+        echo "${{ inputs.token }}" |\
+          docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - uses: aquasecurity/trivy-action@0.24.0
+      env:
+        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
+        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
+        TRIVY_PASSWORD: ${{ inputs.token }}
+        TRIVY_USERNAME: ${{ github.actor }}
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        trivyignores: .trivyignore
+    #
+    # If a requirements file exists in the project, then install the packages.
+    #
+    - name: Install PIP packages defined in requirements.txt
+      shell: bash
+      run: |
+        requirements_file=requirements.txt
+        if [ -f ${requirements_file} ]; then
+          pip install \
+            -r ${requirements_file}
+        fi
+    #
+    # Run pytest if 'import pytest' is found.
+    #
+    - name: Run tests
+      shell: bash
+      run: |
+        if grep -r 'import pytest' *.py; then
+          pytest \
+            --capture=no \
+            --cov=main test.py \
+            --cov-report term-missing \
+            --verbose
+        fi
+    #
+    # Build binary using pyinstaller and attach it to a release once a tag has
+    # been created.
+    #
+    # yamllint disable rule:line-length
+    - name: Check Conditions
+      id: condition_check
+      run: echo "Checking conditions..."
+      shell: bash
+      if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags/') && inputs.pyinstaller-binary-name != '' }}
+    # yamllint enable rule:line-length
+    - name: Build binary using pyinstaller
+      if: ${{ steps.condition_check.outcome == 'success' }}
+      shell: bash
+      run: |
+        pip install pyinstaller==v6.10.0
+        pyinstaller --onefile main.py --name gomod-go-version-updater
+    - name: Attach a binary to a release
+      if: ${{ steps.condition_check.outcome == 'success' }}
+      uses: svenstaro/upload-release-action@2.9.0
+      with:
+        repo_token: ${{ inputs.token }}
+        file: dist/${{ inputs.pyinstaller-binary-name }}
+        asset_name: ${{ inputs.pyinstaller-binary-name }}
+        tag: ${{ github.ref }}